This chapter covers Azure AD Domain Services (AADDS), a managed domain service that provides classic Active Directory features like domain join, Group Policy, LDAP, and Kerberos/NTLM authentication without deploying and maintaining domain controllers. For the MS-102 exam, AADDS appears in roughly 5-8% of questions, primarily in the Identity Access domain (objective 2.2). You must understand its architecture, prerequisites, synchronization behavior, and how it differs from Azure AD and on-premises AD DS to answer scenario-based questions correctly.
Jump to a section
Imagine a large company that has an old on-premises Active Directory domain with thousands of users, computers, and printers. The company is moving to the cloud but still has legacy applications that require Kerberos authentication, LDAP queries, or NTLM — they can't talk to Azure AD because they expect a traditional domain controller. To solve this, the company sets up a managed 'satellite office' in the cloud (Azure) staffed by Microsoft employees who maintain a domain controller 24/7. You give them a domain name (e.g., contoso.com), a subnet, and tell them which users from your Azure AD tenant should be allowed to use this legacy domain. They automatically replicate user and group objects from Azure AD into a dedicated managed domain, handle all patching, monitoring, and backups, and expose standard AD endpoints: LDAP, Kerberos, NTLM, DNS. Your legacy VMs in Azure can then join this managed domain just like they would join an on-premises domain. You never RDP into the domain controller — you only configure it through a management plane. If you need to change the domain name or add a secure LDAP certificate, you submit a configuration change; Microsoft applies it. This is Azure AD Domain Services: a managed domain controller service that bridges the gap between cloud-only identity (Azure AD) and legacy directory-aware workloads.
What is Azure AD Domain Services and Why Does It Exist?
Azure AD Domain Services (AADDS) is a Microsoft-managed domain service that provides a subset of traditional Active Directory Domain Services (AD DS) capabilities in the Azure cloud. It is designed for workloads that cannot use modern authentication protocols (OAuth2, SAML, OpenID Connect) and instead rely on legacy protocols such as Kerberos, NTLM, and LDAP. Common examples include:
Line-of-business applications that require Windows Integrated Authentication
SQL Server Reporting Services (SSRS) that uses Kerberos delegation
Remote Desktop Services (RDS) deployments requiring domain-joined session hosts
Legacy file servers using NTFS permissions with AD groups
AADDS eliminates the need to deploy, patch, monitor, and maintain domain controllers in Azure VMs. Microsoft manages the domain controllers as a PaaS (Platform as a Service) offering, ensuring high availability (two domain controllers per domain are deployed across availability zones) and automatic patching.
AADDS is not a replacement for Azure AD. Azure AD is a cloud-based identity and access management service for modern authentication (OAuth, SAML, etc.). AADDS provides traditional AD DS protocols. The two services coexist and synchronize: user and group objects from Azure AD are automatically replicated to AADDS, but AADDS does not sync back to Azure AD – it is a one-way sync from Azure AD to AADDS.
How AADDS Works Internally
When you enable AADDS for an Azure tenant, the following happens under the hood:
1. Domain Creation: Microsoft provisions a managed domain in the Azure region of your choice. The domain uses the DNS name you specify (e.g., aadds.contoso.com). The default domain suffix is <tenant-name>.onmicrosoft.com if you don't specify a custom name.
2. Two Domain Controllers: Microsoft deploys two domain controllers (DCs) in a Windows Server Active Directory forest. These DCs are not accessible via RDP; they are fully managed. They run as VMs in a Microsoft-managed virtual network (a hidden subscription). One DC is the primary, the other is a replica. If the primary fails, the replica takes over automatically.
3. Synchronization with Azure AD: AADDS syncs user accounts, group memberships, and password hashes from Azure AD. The sync is one-way only: changes made in AADDS (e.g., a new user created via ADAC) are not synced back to Azure AD. The sync interval is typically within a few minutes but can take up to 30 minutes for password changes.
- Password Hash Sync: For cloud-only users, password hashes are not stored in Azure AD by default. You must enable password hash synchronization for AADDS to work. This is done during AADDS setup (or later via Azure AD Connect if you have hybrid identity). The hashes must be in the correct format (NT hash for NTLM and Kerberos hash for Kerberos).
4. LDAP and Kerberos Endpoints: AADDS exposes LDAP (port 389), LDAPS (port 636), Kerberos (port 88), and NTLM (port 445) endpoints on the managed domain controllers. These endpoints are accessible only from within the virtual network (or peered networks) where AADDS is enabled, unless you configure secure LDAP over the internet.
5. DNS: AADDS provides DNS services for the managed domain. By default, it uses the domain name as the DNS zone. You can delegate DNS to AADDS from your custom domain.
6. Group Policy: AADDS includes a default Group Policy Object (GPO) for the AADDC Computers and AADDC Users containers. You can create custom GPOs using the Group Policy Management Console (GPMC) on a management VM joined to the managed domain.
Key Components, Values, Defaults, and Timers
SKU: AADDS offers two SKUs: Standard and Premium. Standard supports up to 25,000 objects; Premium supports up to 100,000 objects and includes additional features like resource forest and domain join from any Azure region. (Note: As of 2025, Microsoft has simplified to 'Basic' and 'Enterprise' but the exam may still reference old names; check current documentation.)
Sync Scope: By default, all users and groups from Azure AD are synced. You can configure scoped synchronization to sync only specific groups (Premium SKU).
Password Hash Sync: Required for cloud-only users. Must be enabled before or after domain creation. For hybrid users (synced from on-premises), password hashes are already synced if Azure AD Connect password hash sync is enabled.
Secure LDAP: To enable LDAPS, you must upload a certificate (from a trusted CA or self-signed) and then export the certificate to client machines. The default LDAPS port is 636.
Forest Type: AADDS creates a 'User' forest by default. A 'Resource' forest is available in Premium SKU, which allows you to create a forest that trusts your on-premises AD (one-way outbound trust).
Deployment Time: Enabling AADDS can take 1-2 hours. The domain controllers are provisioned and synchronized during this time.
Backup: Microsoft automatically backs up the managed domain every 12 hours. You can initiate a manual backup via Azure portal. Backups are retained for 30 days.
Monitoring: Azure Monitor provides metrics like 'Total Requests', 'Failed Requests', 'LDAP Bind Time', etc. You can set alerts.
Configuration and Verification Commands
While you cannot directly manage the domain controllers, you can verify connectivity and functionality using standard tools from a domain-joined VM.
Verify domain join:
# On a Windows VM joined to AADDS
Get-WmiObject Win32_ComputerSystem | Select-Object DomainVerify LDAP connectivity:
# Using .NET DirectorySearcher
$ldapPath = "LDAP://aadds.contoso.com/DC=aadds,DC=contoso,DC=com"
$entry = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)
$entry.psbase.NameVerify Kerberos authentication:
klist get krbtgtCheck DNS resolution:
nslookup aadds.contoso.comUsing Azure CLI to check AADDS status:
az ds show --name mydomain --resource-group myrg --query provisioningStateHow AADDS Interacts with Related Technologies
Azure AD: AADDS depends on Azure AD for identity data. Users and groups are synced one-way. Password hashes must be available in Azure AD.
Azure AD Connect: For hybrid environments, Azure AD Connect syncs on-premises AD objects to Azure AD. Those objects then sync to AADDS. Password hash sync from on-premises to Azure AD must be enabled.
Azure Virtual Network: AADDS is deployed into a dedicated subnet of a virtual network. The subnet must be delegated to Microsoft.AAD/DomainServices. Network security groups (NSGs) must allow inbound traffic on ports 443 (for management), 3389 (for management, but restricted to Microsoft IPs), 5986 (WinRM), and others for LDAP/Kerberos.
Azure DNS: You can configure custom DNS servers for the virtual network to point to the AADDS IP addresses.
Azure AD Application Proxy: For publishing legacy apps to the internet, you can use Azure AD App Proxy with AADDS for Kerberos constrained delegation.
Azure Files: Azure Files supports identity-based authentication using AADDS for on-premises AD-joined VMs or Azure VMs joined to AADDS.
Limitations and Known Issues
No Schema Extensions: You cannot extend the AD schema (e.g., add custom attributes).
No OU Structure Customization: The default OU structure is AADDC Computers and AADDC Users. You cannot create new OUs manually in the managed domain (though you can create OUs via PowerShell using AD module on a management VM? Actually, Microsoft documentation states that you cannot create custom OUs in the managed domain; all objects go into the default containers. This is a key exam point.)
No Domain Administrator Rights: You are not a domain admin. You have limited administrative privileges (you can manage users and groups within the domain but cannot modify domain-wide settings like password policies).
No Cross-Forest Trusts: By default, AADDS is a single forest. Resource forest (Premium) allows an outbound trust to on-premises AD, but not inbound.
No RDP to DCs: You cannot log into the domain controllers.
Limited to 100,000 Objects: Premium SKU supports up to 100,000 objects. If you exceed this, you must request an increase or use a different solution.
Exam-Relevant Details
The exam expects you to know that AADDS is for legacy protocol support, not for modern auth.
You must know that password hash sync is required for cloud-only users.
You must know that AADDS syncs from Azure AD only, not from on-premises directly (unless via Azure AD Connect).
You must know that you cannot create custom OUs.
You must know the default sync interval (within minutes, but up to 30 min for password changes).
You must know the difference between Standard and Premium SKUs.
You must know that AADDS is deployed into a virtual network with a delegated subnet.
You must know that secure LDAP requires a certificate.
Troubleshooting Common Issues
Domain join fails: Check DNS resolution – the VM must use the AADDS IP addresses as DNS servers. Verify network connectivity and NSG rules.
Password sync not working: Ensure password hash sync is enabled in Azure AD Connect (for hybrid) or that cloud-only users have password hashes (enable via PowerShell or during AADDS setup).
LDAPS not working: Verify the certificate is trusted by the client, the certificate subject matches the domain name, and port 636 is open.
Group Policy not applying: By default, only the AADDC Computers container gets the default GPO. Custom GPOs must be linked to the appropriate containers.
1. Enable AADDS in Azure Portal
Navigate to Azure AD Domain Services in the Azure portal and click 'Create'. Provide the DNS domain name (e.g., contoso.com) – this should be different from your on-premises AD domain to avoid conflicts. Select the SKU (Standard or Premium). Choose the region and the virtual network/subnet where AADDS will be deployed. The subnet must be empty and delegated to Microsoft.AAD/DomainServices. Configure synchronization scope – 'All' or 'Scoped' (Premium only). If you have cloud-only users, you must enable password hash synchronization. Click 'OK' to start deployment. Deployment typically takes 1-2 hours.
2. Configure DNS for the Virtual Network
After AADDS is deployed, note the IP addresses of the two domain controllers (shown in the portal under 'Properties'). These IPs are the DNS servers for the managed domain. Update the DNS settings of the virtual network (or the subnet where your VMs reside) to use these IP addresses as custom DNS servers. This ensures that VMs can resolve the AADDS domain name and locate domain controllers. If you have a custom DNS server, you can set up conditional forwarding to the AADDS IPs. Without correct DNS, domain join and LDAP queries will fail.
3. Enable Password Hash Synchronization
For cloud-only users, password hashes are not stored in Azure AD by default. You must enable this feature. In the AADDS setup, there is an option to 'Enable password hash synchronization' – check this box. For existing tenants, you can use PowerShell to enable it: `Set-AzureADDirectorySetting` (older method) or use the Microsoft Graph API. For hybrid users, ensure Azure AD Connect is configured with password hash sync enabled. Without proper password hashes, users cannot authenticate via NTLM or Kerberos to the managed domain.
4. Join VMs to the Managed Domain
Create Windows VMs in the same virtual network (or a peered network with correct DNS). On each VM, open System Properties, click 'Change' under Computer Name, select 'Domain', and enter the AADDS domain name (e.g., contoso.com). Provide credentials of a user that is a member of the 'AAD DC Administrators' group (this group is created in Azure AD and synced to AADDS). The VM will contact the AADDS domain controllers, create a computer account, and complete the join. Verify by checking that the VM appears in 'AADDC Computers' container (viewable via AD Users and Computers on a management VM).
5. Verify Authentication and Access
After joining, log in with a domain user account. Test Kerberos authentication by running `klist` and confirming a TGT is obtained. Test LDAP query by using `dsquery` or PowerShell. For example: `Get-ADUser -Filter * -Server aadds.contoso.com`. Ensure that Group Policy is applied (run `gpresult /r`). If secure LDAP is configured, test LDAPS connectivity from a remote machine using `ldp.exe` on port 636. Also verify that DNS resolution returns the AADDS IPs for the domain name. If any step fails, check DNS, NSG rules, and password hash synchronization.
Enterprise Scenario 1: Legacy Application Migration
A financial services company has a .NET application that uses Windows Integrated Authentication (Kerberos) and requires LDAP for user lookups. The application runs on Windows Server 2012 R2 VMs. The company wants to migrate these VMs to Azure but cannot modify the application to use modern auth. They enable AADDS in the same region as the VMs, configure DNS to point to the AADDS IPs, join the VMs to the managed domain, and assign the application's service account a user account in Azure AD (synced to AADDS). The application works without code changes. The company uses Premium SKU because they have over 25,000 users. They also enable secure LDAP to allow the application to query LDAP over TLS. The main challenge was ensuring the password hash sync was enabled for cloud-only users – they had to run a PowerShell script to trigger the sync. Performance is monitored via Azure Monitor metrics; average LDAP bind time is under 10ms.
Enterprise Scenario 2: Remote Desktop Services (RDS) with AADDS
A healthcare organization needs to deploy RDS session hosts in Azure for remote workers. The RDS deployment requires domain-joined servers for user profile disks, Group Policy for security settings, and Kerberos authentication. They cannot use Azure AD because RDS does not natively support Azure AD authentication for session hosts. They enable AADDS in the same VNet as the RDS infrastructure. They join the RDS session hosts to the managed domain. They create a 'RDS Users' group in Azure AD, which syncs to AADDS. They configure Group Policy to enforce screen lock and drive redirection. They also use Azure AD Application Proxy to publish the RDS web client. The deployment supports 500 concurrent users. The key consideration is that the AADDS domain name must be different from the on-premises domain to avoid DNS conflicts. They also set up a one-way outbound trust from AADDS (resource forest) to on-premises AD to allow on-premises users to access RDS resources. This required Premium SKU.
What Goes Wrong When Misconfigured
Common misconfigurations include:
- DNS misconfiguration: VMs cannot resolve the AADDS domain, causing domain join failures. Solution: ensure VNet DNS points to AADDS IPs.
- Missing password hash sync: Users can authenticate to Azure AD but not to AADDS. Symptom: login fails with 'The trust relationship between the workstation and the primary domain failed'. Solution: enable password hash sync.
- Incorrect NSG rules: If NSGs block ports 443, 3389 (from Microsoft management IPs), or 636 (LDAPS), the service may become unhealthy. Microsoft monitors these ports; if blocked, the domain may be marked as degraded.
- Using the same domain name as on-premises: This causes DNS conflicts and authentication issues. Always use a different domain name (e.g., aadds.contoso.com).
- Trying to create custom OUs: Not possible in AADDS – all objects go into default containers. Attempting to create OUs via ADUC will fail with an access denied error.
What MS-102 Tests on AADDS (Objective 2.2)
The exam focuses on:
Understanding when to use AADDS vs. Azure AD vs. on-premises AD DS.
Prerequisites: password hash sync, DNS configuration, delegated subnet.
Synchronization direction: one-way from Azure AD to AADDS.
Limitations: no custom OUs, no schema extensions, no domain admin rights.
SKU differences: Standard (up to 25k objects) vs. Premium (up to 100k objects, resource forest, scoped sync).
Secure LDAP certificate requirements.
Integration with Azure Files, RDS, and legacy apps.
Common Wrong Answers and Why Candidates Choose Them
'AADDS can replace on-premises AD DS entirely.' – Wrong. AADDS lacks many AD DS features like schema extensions, custom OUs, and full administrative control. Candidates see 'managed domain' and assume it's a full replacement.
'AADDS syncs bidirectionally with Azure AD.' – Wrong. Sync is one-way. Candidates familiar with Azure AD Connect (which can be bidirectional for device writeback) incorrectly apply that logic.
'You can RDP into the domain controllers to manage them.' – Wrong. The DCs are managed by Microsoft. Candidates think of traditional IaaS VMs.
'Password hash sync is optional.' – Wrong. Without password hashes, NTLM/Kerberos authentication fails. Candidates assume cloud-only users can authenticate using their Azure AD password directly.
'AADDS supports custom OUs for organizing resources.' – Wrong. Only default containers exist. Candidates expect full AD flexibility.
Specific Numbers, Values, and Terms on the Exam
Object limits: Standard: 25,000; Premium: 100,000.
Default sync interval: Password changes propagate within 30 minutes.
Delegated subnet: Must be delegated to Microsoft.AAD/DomainServices.
Ports: LDAP 389, LDAPS 636, Kerberos 88, NTLM 445, management 443 and 5986.
Group Name: AAD DC Administrators – members of this group have administrative privileges on the managed domain.
Forest types: User forest (default), Resource forest (Premium).
Edge Cases and Exceptions
Resource forest trusts: Only one-way outbound trust to on-premises AD. Inbound trusts are not supported.
Scoped synchronization: Only available in Premium SKU. If you need to sync only specific groups, you must upgrade.
Secure LDAP over internet: Possible but requires a certificate and enabling the feature; not recommended for production due to security risks.
Domain name conflicts: If you use the same domain name as your on-premises AD, you will have DNS and authentication issues. Always use a unique domain.
How to Eliminate Wrong Answers
If a question mentions 'custom OUs', 'schema extensions', or 'domain admin', the answer is likely not AADDS.
If a question involves modern auth (OAuth, SAML), the answer is likely Azure AD, not AADDS.
If a question mentions 'bidirectional sync', it's wrong for AADDS.
If a question asks about 'RDP to DCs', it's wrong.
If a question mentions 'password hash sync' as optional, it's wrong.
Look for the phrase 'legacy protocols' or 'Kerberos/NTLM' – that's the key indicator for AADDS.
AADDS provides managed domain services with Kerberos/NTLM/LDAP for legacy workloads.
Synchronization is one-way from Azure AD to AADDS; no writeback.
Password hash sync is required for cloud-only users to authenticate.
Maximum objects: 25,000 (Standard) or 100,000 (Premium).
You cannot create custom OUs, extend the schema, or RDP into DCs.
Only members of 'AAD DC Administrators' group have administrative privileges.
AADDS must be deployed into a delegated subnet in a virtual network.
Secure LDAP requires a trusted certificate and port 636 open.
Resource forest (Premium) allows one-way outbound trust to on-premises AD.
DNS configuration is critical – VMs must use AADDS IPs as DNS servers.
These come up on the exam all the time. Here's how to tell them apart.
Azure AD Domain Services (AADDS)
Managed by Microsoft – no patching or DC maintenance.
Limited to 100,000 objects (Premium SKU).
No custom OUs, no schema extensions, no domain admin rights.
One-way sync from Azure AD; no writeback.
Deployed in Azure virtual network; accessible only from Azure or VPN.
On-Premises Active Directory Domain Services (AD DS)
Self-managed – you handle patching, backups, and high availability.
Scalable to millions of objects (with appropriate hardware).
Full administrative control: custom OUs, schema extensions, domain admin.
Bidirectional replication with other domain controllers.
Deployed on-premises or in IaaS VMs; accessible from any network with connectivity.
Azure AD Domain Services (AADDS)
Provides legacy protocols: Kerberos, NTLM, LDAP.
Supports domain join and Group Policy.
Syncs from Azure AD (one-way).
Requires password hash sync for cloud-only users.
Used for legacy applications that cannot use modern auth.
Azure Active Directory (Azure AD)
Provides modern protocols: OAuth2, SAML, OpenID Connect.
Supports device registration (Azure AD join) and conditional access.
Cloud-native identity provider; no sync needed (unless hybrid).
No password hash storage for cloud-only users by default.
Used for modern apps (SaaS, web, mobile) with single sign-on.
Mistake
AADDS is the same as Azure AD.
Correct
Azure AD is a cloud identity provider for modern authentication (OAuth, SAML). AADDS provides legacy AD protocols (Kerberos, NTLM, LDAP) for domain-joined workloads. They are separate services with different purposes.
Mistake
You can create custom OUs in AADDS.
Correct
AADDS does not support custom OUs. All user and computer objects are placed in the default containers `AADDC Users` and `AADDC Computers`. Any attempt to create OUs via ADUC or PowerShell will fail with an access denied error.
Mistake
AADDS syncs changes bidirectionally with Azure AD.
Correct
Synchronization is one-way: from Azure AD to AADDS. Changes made in AADDS (e.g., modifying a user attribute) are not synced back to Azure AD. If you need bidirectional sync, you must use Azure AD Connect with on-premises AD.
Mistake
Password hash sync is optional for cloud-only users.
Correct
Password hash sync is mandatory for cloud-only users to authenticate via NTLM or Kerberos. Without it, users cannot log in to domain-joined VMs. The hashes must be in NT and Kerberos formats.
Mistake
You can RDP into the AADDS domain controllers.
Correct
The domain controllers are fully managed by Microsoft. You cannot RDP into them. All management is done through the Azure portal, PowerShell, or by using a management VM joined to the domain.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, but AADDS is for legacy protocol support. Azure AD joined devices use modern auth (OAuth) and do not require AADDS. However, if you have hybrid Azure AD joined devices that also need Kerberos for on-premises resources, AADDS can provide that. Typically, AADDS is used for Azure VMs that need domain join, not for user devices.
Enabling AADDS typically takes 1-2 hours. This includes provisioning the domain controllers, initial synchronization from Azure AD, and configuration. You can monitor the status in the Azure portal.
No, you cannot change the DNS domain name after creation. You would need to delete the AADDS instance and recreate it with a new name. Plan accordingly.
If you exceed 25,000 objects in Standard SKU, the service may become degraded or stop accepting new objects. You must upgrade to Premium SKU (up to 100,000) or request a limit increase. Microsoft may also suspend the service if the limit is significantly exceeded.
No, AADDS does not support MFA. MFA is a feature of Azure AD. For domain-joined VMs, you can use Azure AD MFA with RD Gateway or Azure AD Application Proxy, but not directly at the AADDS authentication level.
Yes, you can join Linux VMs to AADDS using SSSD or Winbind with Kerberos. However, AADDS is primarily designed for Windows workloads. Linux support is possible but may require additional configuration.
Reset the password in Azure AD (via portal or self-service password reset). The new password hash will sync to AADDS within 30 minutes. You cannot reset the password directly in AADDS.
You've just covered Azure Active Directory Domain Services (AADDS) — now see how well it sticks with free MS-102 practice questions. Full explanations included, no account needed.
Done with this chapter?